
Best practices in information security

Fortify Software and Cigital have announced the release of the ‘Building Security In Maturity Model for Europe’ or ‘BSIMM Europe’, a guidance document written from the results of a large benchmarking project. BSIMM Europe illuminates the software security practices of some of the most advanced organizations in Europe, including Nokia, SWIFT, Standard Life, Telecom Italia, and Thomson Reuters, and four companies that chose to remain anonymous.

Released in March 2009, the original BSIMM study was based on in-depth interviews with leading enterprises including Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC). BSIMM Europe describes a set of activities practiced by nine European firms chosen from among the 56 most successful software security initiatives in the world. Unlike some industry standards, BSIMM is a structured set of practices based on real-world data rather than philosophy and ideas. BSIMM provides insight on what successful organizations actually do to build security into their software and mitigate the business risk associated with insecure applications.

“We are very grateful to the European participants in the BSIMM Europe study, and for the chance to compare and contrast large-scale software security initiatives in different geographies,” said Dr. Gary McGraw, CTO of Cigital and author of the best-selling book ‘Software Security’. “Using BSIMM, an organization can determine where its software security initiative stands, figure out how to evolve its initiative strategically, or even get a brand new initiative off the ground. BSIMM is a tool for identifying realistic business goals and implementing those technical software security activities that make the most sense for an organization.”

The authors collected data on each European firm’s software security activities across the BSIMM practice areas (strategy and metrics, training, standards and requirements, security testing, code review, and the rest) and uncovered a number of common themes across the successful initiatives, including:

- In general, European approaches to software security have many activities in common with US initiatives. European software security approaches place more emphasis on process than do their US counterparts, and also emphasize privacy to a greater extent.

- Eleven activities were observed that all European firms practice, including publishing a process, identifying gates, creating secure coding standards, and identifying PII obligations.

- There are fifteen BSIMM activities (of 110) not observed in Europe at all.

‘Building Security In Maturity Model for Europe’ can be obtained free of charge from http://bsi-mm.com

Date: 13th Nov 2009 • Region: UK/Europe • Type: Article • Topic: ISM
Copyright 2010 Portal Publishing Ltd